So how's it going, DEF CON? Well, Nick and I appreciate you
coming out and hearing us talk. This talk is called The Dirty
South: Getting Justified with Technology. And we'll be getting
into that in just a minute here. But really appreciate you coming out,
and always honored to speak here year after year again. Just a
quick introduction. I'm the author of the Social-Engineer
Toolkit. I'm also founder of TrustedSec, a consulting
company. And co-author of The Penetration Tester's Guide. And I've
also been presenting at Black Hat and DEF CON for a number of
years. And one of the co-founders of DerbyCon. So
appreciate again coming up on stage and talking. All right. I
am Nick. And I can see that the slide has been modified
slightly. Thank you, Dave. Also for TrustedSec, senior security
consultant with Dave. Been awesome. Pen tester. Breaker of
things. And yes, I'm wearing.
I'm wearing one right now. DerbyCon co-organizer. Head of
security there. I'm also a team member of social-engineer.org.
We're doing the SECTF down in Palma. Come down and visit at some
point. Not now because you're here. Besides LV and Delaware
slave. And I haven't written a book, but I've read some. So the
intro to this talk is, you know, literally we, you know, if you
look at kind of the evolution of security and where we're at
today and why we're all here today. We're going to talk about
security. It's changed a lot. And so what we're going to do is
we're going to kind of go through the evolution of
security and where we're at today. And then from there we're
just going to break some stuff and get a whole bunch of shells
and do a bunch of other things, okay? So we're going to do some
three major demos. I have one big surprise for everybody here,
which will be, you know, I'm always full of surprises. So
every time you come to my talk you should expect something new.
But Nick and I are basically going to be going through the
evolution of security and really where we're at today. And if you
look at where we're at today, we continue to get new and new
technology that's trying to strengthen and protect our
community and protect against hackers, right? So, you know,
advanced persistent threats and all these other things that we
hear out there to try to protect against, which is funny, right?
But this technology is, you know, becoming more and more
complex and introducing more and more complexity and we're
spending millions and millions of dollars on this type of stuff
to try to protect us. And so today we're going to try to break
it all. Sound good? All right. So the way that we structure this
was an AA meeting. So first we need to realize that we all have
a problem.
All right. So hi, I'm Dave. Hi, I'm Nick.
And welcome. We've been sober from technology, from buying
technology for about two years now. But believe me, we get
tempted every single time. When we see that big, blinky-ass box
that does some cool stuff that we have no idea what it does behind
the scenes, we want to buy and spend a million dollars on it,
trust me. So the way that we structure this is really trying
to break you down into a reality that what this stuff really does,
what it really stops us against and then really start to build
us up on really what we need to do to fix all this stuff.
Because, you know, I see security either going this way
or going this way. And you know what? Either way is going
to be interesting and fun and exciting. But we need to break
you down first to realize where we're kind of at. And so if
anybody is drinking a beer, please drink one right now for
me. Because it's not really AA. It's for technology. So
anyways. So just a warning. We're going to try to walk
through every single technology that we know of that most
corporations implement. All right? But before we do that,
we're going to get kind of into the history of security and why
we're kind of in this vicious cycle of continually, you know,
investing in different types of technology. And then from there
we'll start to actually go and attack them all. Sound good?
All right. Awesome. Nick? All right. So basically history
of security in brief. So we have technology for about a
century, so some type of technology. First the question
is why? Why do we need security for this? Well, someone breaks
something. It's like, oh, oh, okay. I see why we need
security. And then they say, oh, here you go. This will fix
it. And then it breaks again. Five minutes, five years,
whatever. Breaks.
Oh, wait. My bad. I can fix that. No problem. Rinse, repeat.
It's an endless loop of ‑‑ endless cycle, really. So I thought
there was a really interesting story about this ‑‑ the inventor
Marconi. In 1903, his so‑called secure wireless telegraph system
was being tested. And it was touted as the most secure
communication at the time. So a magician by the name of Nevil
Maskelyne decided, you know what? I'm going to prove him wrong.
So what he did was he hijacked the presentation and sent his own
little message through. And if you know Morse code, that's actually
lulls in Morse code. And he proves his point.
So he proves his point that this is not a secure technology.
So then we get to the age of an actual programmable computer. This is the
Zuse Z3, where you can actually start to store some information on this. But what was really needed to
secure that at that point? Well, you got to ‑‑ next slide.
Oh, sorry. You got to lock that crap up.
I forgot I had this. Can I have that?
Here you go. Sorry. Sorry. Sorry. You got to lock it up.
Easy enough, right? Lots of locks in the doors. But then ‑‑ I don't know. I think
I know what he's saying. Technology is hard. So then it happened. Al Gore came along.
He invented the Internet. It's amazing. Can we get a round of applause for Al Gore, please?
Thank you. We are all here today because of him.
So now we have the tubes. The tubes are here. They're invented. This opens us up for a whole
mess of different things. We've got anywhere from just your standard virus malwares. We
have phishing. We have just normal malicious stuff that's out there. So, oh, you need some
security. All right.
Well, here's some security. This will protect you. Everything under the sun. AV. You know,
everything to protect clients, organizations. Then they start to realize, oh, we need some
type of protection on the perimeter. Let's put up a firewall. Let's deny all these ports.
Let's only allow what we need through. But something is not working with the state of
technology. So Verizon is not working with the state of technology.
That's not the reason. They did this nine-year study. Now over a nine-year period,
they found that there were around 2,500 data disclosures and 1.1 billion compromised records.
So what happens is, there's some confusion. We're putting all this money and all these
things to protect ourselves but 1.1 billion personal records are being breached. Are being
it. So why? So, you know, we continue to see this. And so a whole new industry is born,
an industry where products can solve the problems of people. And so, you know, you look at these
different products that are out there and the different things that are happening, there's
technology that are specifically designed and made to social engineer us basically into
trying to buy it to solve a specific problem. So the first one I'm going to pick on most
specifically is next generation firewalls, okay? So next generation firewalls are being
touted as, you know, the way to prevent APTs, which if you go to any of their sites, it's all
over there. That's a giggle. You look at all the things they're trying to do, they're trying to
consolidate everything into one type of infrastructure, right, so that you have spam
filtering and, you know, whitelisting and, you know, content filtering, all the stuff that's
kind of built into this to try to protect the perimeter and move everything more towards the
perimeter. And so you're seeing this and companies are buying this so that they can try to stop
against the latest and greatest attacks of today, all right?
So the first demo we're going to do and it's going to be included in the social engineer
toolkit is we're calling it silent but deadly. Thank you, Valerie. Yeah, there she is. That
was her idea. But I'm definitely not silent, but I'm definitely deadly when it comes to
that stuff. So as my roommate can tell me. So what this is going to do, I'm just going
to show you a demonstration using the social engineer toolkit here, okay? This is a Windows
8 machine, fully patched and all that good stuff. We're not going to take advantage of an actual
machine.
That's right. That's right. By the way, the chicken has no relevancy at all to this talk. We
just wanted to put something random in here and then talk about let's pop a box. So that's all we
need here, right? So I'm going to use this. I'm going to use this. I'm going to use the
social engineer toolkit. I'm just going to show you an example of what this does. And I'll be
releasing the code hopefully either today or tomorrow. And basically this is the new version,
version 5.3. Now, I haven't fully integrated the payload, which is why it will be released
either later today or tomorrow. But here's what we're going to do first. We're going to clone a
website and again we're going to coax somebody into clicking on something via social
engineering. Now, oh, my God. What's that? No screen. What happened to the screen?
I can see the screen. Can everybody see the screen now?
All right. I'm not going to be able to do full
screen in this for some reason, but that's cool. We'll deal with it. Hang on. I've got to
minimize this one, too. All right. Does everybody see this?
All right. Everybody got that? Can you see my screen? The logo, ah, it's not mirrored.
That would be why. Jeez. So what we're going to discuss today is how to mirror displays
on OS X. Look at the chicken, everyone. Look. Nothing to see here. All right. Can you see
that? Yeah. Thank you for coming. Bye. All right. So we're going to launch the social
engineer toolkit. What I'm going to do is clone a website really quick. This is a new
payload that I developed. I don't know if you know this or not, but a lot of the new
next gen firewalls are doing behavioral analysis on the network side. Which means they're
protocol aware. So they can see protocols that are going back and forth, all that good
stuff, and they can flag on things that aren't necessarily protocol specific, okay? So
me, loving Metasploit and Meterpreter and everything else, I wanted to figure out a
way to develop something that would never, ever, ever in any way, shape, or form be detected
again. That's usually what I go for. So I'll grab my IP address here really quick
to clone it. I'm actually going to change it real quick. All right. So I'm going to
do this. There we go. And I'm just going to clone trustedsec.com so I don't get in trouble
anywhere. All right. That's not supposed to happen. We are connected. We're connected.
Don't you worry. Don't you worry. Sorry. Stop it. There we go. We're good. All right.
That's right. Even hits the best of us, man. All right. So we're going to clone
trustedsec.com. Now what I'm going to do is import my own payload. And this is the code that's
going to be released here. And the code itself is going to be public. But it's basically
Python and then it's wrapped in an executable, okay?
All right. Imported my own EXE. You see it here? See that? All right. We're ready to
go. Now what I need to do is create a quick listener. Now what this is going to do is
we're going to do a social engineering, but this is anything from a post exploitation
standpoint, right? So we're going to hack a company and you're actually going to see
this live here in a minute. We're going to hack a company. It's going to come back to
us. And what's going to happen is we're going to shoot a Meterpreter in memory in an AES256
encrypted bubble. We're going to wrap that around SSH and then we're going to create a
polymorphic tunnel over HTTP. Okay? Sound pretty cool? RFC compliant HTTP. So right now
it's waiting. We launched the website. And this is just the Java applet attack that's built
into SET. So we go ahead and hit run. By the way, please don't report that I have a valid
certificate. That's verified publisher. I forgot about that. So we should see here in a
second we get a response back. If everything went properly. There it goes. Notice encrypted
tunnel identified. Standing challenge to verify. Making sure it's the right session. What
it's going to do is it's going to create an SSH tunnel over HTTP for us. It's going to then
send the Meterpreter shell via second stage over our local host over to the victim machine.
And then we have a full shell running through the network over native HTTP. Yeah.
Popped a box. Now notice here we're tunneling over local host. So it's
actually running through our local host environments over SSH, over HTTP. And then what it does is
it actually chunks it up every single time it does any type of get or post request. So it's a
little slow. But it actually chunks it up different every time and changes the behavior and
patterns every single time. So every single packet that you send is going to be completely
different over HTTP. All right? I forgot to stop it.
I think I'm up now. Yep. Good. Good. So types of next gens. So welcome to the era of
Marty McFly. Simply put, we're dealing with static. Static signatures anomaly detection. So
basically hello antivirus on a different level. Yeah. And if you look at this, what we started
doing an analysis on a lot of the next gen firewalls is their behavioral analysis really dealt
with a lot of signatures anomaly detection. So basically hello antivirus on a different level.
Static signature based detection with some minor modifications or changes based on what
type of payload. Like for example, you know, a lot of the next gen firewalls will flag on a
second stage Meterpreter. But if you change that and modify it in any way, shape or form just a
little tiny bit, it allows you to get around it and still exfiltrate out over those protocols
whether it's HTTP or anything else. So basically it's just static based signature again. And
we're basically going back to the mid 80s, early 90s just on the network behavioral side of the
house. Okay? One of the next gen firewalls that we're working on right now is called the
firewall claims to stop APT. It's obviously ridiculous. Move to the perimeter. So to me this
is kind of crazy. All right? So security we started like really doing a little bit of a decent job
when we started having firewalls, DMZs, network segmentation, things like that. And we actually
had layers of defense, right? Instead we're like moving to the cloud and mobile devices and
laptops and just everything is completely decentralized and no longer at the perimeter. So
it's all the way out and about. And so that actually creates a pretty large exposure for us
and something that these things aren't going to even come close to touching. Now, next demo.
Oh, that's awesome.
All right, all right, all right. Yes. Thank you, sir. Thank you, sir. We ran into a customer
recently where they were basically ‑‑ I don't know how you manage this, but basically they were
doing white listing of only websites that they actually legitimately allowed. And so a lot of
them still use social media as an allowed exception. But regardless, this is just anything
that you can use that allows you to put information to something that's white listed. Now, what
we're going to be releasing is a new tool that allows a framework for this. So it's going to be
something that allows you to just basically insert a website that may be white listed that's
public, that's used all the time, and then you can use it as an intermediary for encrypted
protocol traffic over HTTP as a thing in the middle. So what we're going to do here is just to
show you an example. That's not an example. We're going to run this listener. Now, what's going
to happen is I'm going to launch a payload on my Windows 10. And I'm going to run this listener.
And I'm going to go to my Windows machine. Windows machine is going to connect out to Facebook
with things that I've already predefined. And it's going to allow a direct intermediary over HTTP
encrypted traffic to allow us to do more of a command and control all through Facebook. Again,
it's not just ‑‑ it's not a Facebook issue. It's just anything that you have any type of
public access to. So it's going to inject into there. We get our shell. Now, it's really quick.
It's fast. Because we're going to run it. We're going to run it. We're going to run it. We're
going to run it. We're going to run it. Because we're continuously monitoring any major
modifications based off of the notification system, which is nice.
Now, as soon as I type in something like ipconfig, it takes a second, because I have to post
it, then read it back in, execute the command, post it back up with the data. So it's a little bit
of a lag. It usually takes about four seconds, but I give it eight just in case, especially
for demo purposes. And then we're able to use Facebook as essentially a man in the middle to
communicate. And it can be any website, any website you have the ability to put in your
any type of information off. And that's the new one we'll be releasing for a framework.
All right. So the next one is my favorite. This is the best demo. This is kind of the
pinnacle, okay? So we're going to go through a bunch of different technologies, everything
that we use for corporations, and then from there we're going to kind of expand on it
and see what we can actually do, okay? So behavior analysis. The best, let's say,
we can liken this to the FBI and their behavioral analysis unit. They base their profiles on
behavior and that's exactly what behavior analysis does. But the problem is people can
change their behavior. And so can the attacks, the malware, everything that the attack is
actually based on can be changed.
So we estimate about 30 seconds for this to be bypassed. And we're going to demo how that's
going to be done. Application whitelisting. Really a pain in the butt to manage, especially
in large corporations, but a lot of companies are moving towards that because you get to
more of a trusted model where you only allow whitelisted applications. That's all fine
and dandy, but all the whitelisted applications we use as an exploit play field, so it doesn't
really do much good. So we're going to use that as well, okay? And we really don't
really need to slide on that, but kind of put it in there.
Filler. Just do anything and it's good, so here we go. Monitoring and detection. Could
be a good concept, because you want to detect these attacks. Most companies outsource them
to MSSPs who have no idea what their network is, anything about their data, and they're
looking for port scans. Sounds good. That's our monitoring and detection.
Content filtering works awesome. No, it does not. It doesn't work really well. We're not
work at all. Why? We can change the content. Exactly. That's all I got to say about that.
So is everybody ready for one of the most epic demos ever? This is one of the most epic
demos ever. You don't hear that a lot in talks. Bring out your chicken. All right. So what
we're going to do here, and this could go horribly wrong or go horribly right, okay? I've
actually got a customer who said that he would let us social engineer somebody on stage real
time. And I can't think of anybody else better to do it than one of my good friends, Kevin
Mitnick, up here. So what I'm going to do first is I'm going to give Sam a call just
to make sure that he's still good and hasn't chickened out yet. So we give Sam a call,
make sure he's all good with it, and then as soon as we're good with it, we're actually
got five numbers. So this could go horribly wrong where we don't get anybody, all right?
Or it could go horribly right and be fucking awesome. So either way, we'll figure it out.
So hopefully you don't see this right now, so that's fine. Let's see what you're
seeing on the screen right now. Just blank? Okay, cool. I don't want to give the phone
numbers out. Because you guys are crazy sons of bitches.
Not going to lie. So give us one second here to set this up.
All right. You ready? All right. Mirror display. Yes, I have live shell windows up. All right.
Let's give them a call. Oh. So can everybody see the screen with the shells up? Yep. Good.
All right. Let's do this.
That sounded like it hurt. See, Paul, that's how you roll it. You
got to put a rock inside of it. The Browns are recruiting? We still have them?
Hey, Sam, it's Dave. Kenny, how you doing? I'm doing well. How are you? Good, good.
Hey, I just wanted to verify that we're still good to do our little thing that we agreed upon.
We're talking in front of everybody at DEF CON right now. Are you cool with that? Oh, yeah.
That's perfect. All right. Listen, we're going to try to keep the company in mind as much as
possible. I'm going to expect the audience to be very tame and not start tweeting about the
company unless, in fact, if they accidentally say their name on the phone or something like that.
Is that okay? Is that good with everybody? That's perfect. All right. Just a couple questions
real quick. And, again, we're not going to use any of this for our attack. We just want to see what
type of technologies you have in place, okay? So first of all, are you using some sort of next-gen
firewall that's one of the top providers out there? Yes, that's right. All right. Are you using
any type of white listing technology? Yes, we are. Do you do egress filtering? Yes. All right.
And then as far as anything else, do you have any type of, like, virtualization sandboxing
technology at your SMTP gateways? Absolutely we do. All right. Thanks, Sam. I'll give you a
call back after this is done. I'll let you know how it goes. Okay. I look forward to it.
Thank you. Thanks, man. Bye. Let's see how it goes.
Get the hell away from me.
All right. Everybody see that?
All right. We got it.
We got three more to go, so bear with us. We're going to keep trying until we get it.
Dance, chicken, dance. What are we paying you for?
Yes, may I speak to James, please? Hello? Hello?
There's a message.
Yeah, James? Hello, James? James, can you hear me? Oh, great, great. This is Tom
Beaudet over with the HR department, specifically benefits. How's it going today? Hello?
I'm sorry, I'm having issues with my phone. Is this James? Oh, great, great, great. This is
Tom Beaudet. I'm over with HR. I work specifically in benefits. And I sent you a ‑‑ we sent
you over a form about a week ago on our benefits privacy form. Did you actually receive it?
I don't remember seeing it. You don't. Well, unfortunately, I'm calling several people.
You're the eighth person I'm talking to today. We must have had an issue getting them out.
And we have to send you this form because legal is requiring that you accept a new policy.
It's part of a legal requirement to continue receiving benefits. So it's kind of important.
And we need to get this done today. It's Friday. And do you have a moment? Do you have a fax
machine? Or do you have ‑‑ do you have a phone? Do you have a phone? Do you have a phone?
Or do you have a computer handy? Or better yet, are you near your PC? I'm at my computer.
Can you ‑‑ do you have a moment? Sure. Okay, okay, great. If you could open up a
browser, like do you use Internet Explorer or Firefox? Yeah, we have Internet Explorer.
Okay. If you can go ahead and open it up for me. Okay. And what we're going to do is
we're going to ‑‑ I'm just going to have you accept the new policy over your computer so you
don't have to go ahead and fax it to us. It makes it easier and quick so you don't have to fill out
a form. Okay. Tell me when you're ready. I'm ready. Okay. If you can go to www.health,
H-E-A-L-T-H, health, benefits, health, health, H-E-A-L-T-H, H-E-A-L-T-H, H-E-A-L-T-H,
benefits, and this is all one word, no spaces, portal.com. So that's
www.healthbenefitsportal.com. And tell me when you get there.
Healthbenefitsportal.com. Correct. And you should ‑‑ when you get there,
you should, like, see a pop‑up. When the site loads, you should see a pop‑up come up.
Yeah.
Repeat that.
Yeah, click okay. That's right.
Okay. Now go ‑‑ now, since you clicked okay on the pop‑up, we went ahead
and just automatically accepted the policy. So if you receive that ‑‑ if you find that e‑mail or
you find that in spam that we sent you earlier, just go ahead and ignore it because everything is
fine. Oh, that's it? Well, unfortunately, I have to call six more people that didn't fill out
the form either. So I'm going to go ahead and go ahead and go ahead and go ahead and go ahead.
Yeah. It's kind of my Friday work. All right.
All right. Well, have a great weekend and talk to you soon.
All right. All right. Take care. Bye‑bye.
Good work.
encoded and then you can get around execution restriction policies. We don't have to worry
about execution restriction policies. In Windows 7, 8, etc., we have the ability to directly
access memory without ever touching disk on a white listed process. Sounds pretty awesome,
right? So I recently released what's called a native
X86 downgrade attack through PowerShell which allows you to natively ‑‑ so if you're
on a 64‑bit platform or an X86 platform, it doesn't matter, it will automatically downgrade
the process to an X86 process to allow you to inject native 32‑bit shell code into
memory to actually execute. So basically we have full execution on all systems through
PowerShell no matter what. And as you saw here, whew, again, we were able to basically
circumvent a lot of the different types of technologies out there. And this one was special
custom shellcode that basically encrypts the first stage, puts it back, and then you
set the Shikata Ga Nai stage encoding to true to do the second stage that's polymorphic.
So it worked out well.
By the way, it's all default in SET right now. So you can use this right now in SET.
So the truth is, you know, since hacking is a people problem, it's people coming up
with new ways to get into organizations. It's people that are sitting there attacking
our infrastructure. It's people that are continuously trying to attack us. It cannot be solved solely
by the use of technology. That's not going to fix the security issue. You know, technology
itself isn't going to fix the problems that we face. Okay. And so "defense in depth," air
quotes, taken way out of context. It doesn't mean using multiple technology layers, it
means using multiple layers in general. This is why these things do not work. They're not
implemented correctly. Why? The main reason why we have the problems today is we're lazy.
Anybody agree with that? Okay. Yeah. We are lazy bastards. If we need Impermanence and
seriously. I mean, we expect that we don't have enough staffing, we don't have enough
funding, we don't have enough of this, so what we're going to do is we're going to buy
a piece of technology, right? We're going to implement it. We don't have enough people
and resources to support any of the other technology that we have, so those go to waste.
Then we focus our six months to a year roadmap cycle of implementing this into our company
while the rest of it goes to crap. And then we implement something else and then we continue
to do something else again and we buy more and more. So what I'm going to introduce to
you is revolutionary, I know. It's a 12‑step program. I came up with this, okay?
So this is a 12‑step program of actually fixing security. And it's not going to cost
you a penny, all right? I'm a big advocate of being able to do things that don't cost
you a ton of money that you really can fix. So the first thing is get your hands dirty.
We actually have to talk to people ‑‑ trust me, I know. We actually have to talk to people
and interact with them and figure out our business and how they actually make money
and how we actually have assets.
And how do we protect those assets? That's important, right? That requires us to actually
do some work ahead of time. Step two ‑‑ now, is Bill and Ted in the 80s or 90s? I
might have screwed that up. Early 90s. Thank you, sir. Thank you.
Thank you. So we're good with that. So getting back to the 90s, all right, I remember sitting
there and hearing, hey, here's how you build a firewall, here's how you do egress filtering,
here's how you do network segmentation. Like all those core critical concepts that we don't
do today on our flat networks and our flat infrastructure make it so much easier for me as an attacker
that once I compromise one machine, I'm into the rest of them. So isolating people to only
access that they need, data that they need, systems that they need. Segmenting accounting
and finance and everybody else away from each other so that they only have access to certain
systems. Those are concepts that we built in the 90s. I know, again, revolutionary.
I'm a heretic talk here. I'm serious. And this works. A recent engagement, really
small, we ‑‑ what we just did would not work. They didn't have anything revolutionary.
They're just using exactly what Dave just said. Proper follow‑up rule sets. Segmented
networks. We could not perform this. We had a custom executable that we actually had used
the week before at a large organization. I think the fish we ‑‑ it was about like
a thousand shells or something like that. It was one that just kept popping up. It was
sort of like really cool to watch. But it's completely true in the real world.
Now education awareness. Interesting concept. I know, new, revolutionary. We haven't been
talking about this a lot. Education awareness really trying to touch our people because ‑‑
Well, well, well. Bruce and I thought ‑‑
Never mind. Never mind. We're not going to go into that right now. Bruce Schneier. Anyways.
So education awareness is a concept to really focus on people. You know, making sure that
they understand key concepts. We all know that. Making security your friend. You know,
they want ‑‑ people want hugs. There's no question about it. Except for Andrew from
Maltego. He only gives me one on his birthday every year. But other than that, he wants
hugs. But making friends with security. Making sure that we're more of an inhibitor of the
business versus something else. Step five.
That's my favorite. The one‑year challenge. Don't buy a damn thing for an entire year.
Not a whole thing. Not one thing for a year. Stay away from something and focus on what
you already have and start focusing on that defensive strategy around security. Because
at the end of the day, that's what's going to make it or break it for your company. This
is my thing in security right here. If it introduces complexity, it doesn't need to
be in your environment. If it's simple for you to understand, then you should put it
it in your environment. Like something that's going to take you four years to implement,
dude, really? Seriously? That's where we're at right now? You need to focus on the basics,
getting back to the easy things because that's ultimately what's going to stop us. Penetration
testing, okay, I'm a little bit biased here. But understanding where your risks and identifying
your risks and simulating that and getting people that can actually help you out on that
side. Was this step nine? Eight, okay. Take a one‑week hiatus. Go get your chi, grab a beer, sit
for a week and actually think about what you're going to do and how you're going to do it.
Because we come into this thing where we're firefighting every single day. And so we don't
do anything. We sit there and we firefight and firefight and firefight. Take a week back, crack
open a beer. I know this is an AA meeting but it's okay. Crack open a beer and you'll be fine.
One book I have to thank Chris Nickerson for that actually changed my life. It's called
Rework.
Rework. Read this book. It's one of the most fantastic books and you apply it to security
and it actually really works. It's the guys from 37signals that wrote it. It was actually
amazing. Step ten, I talked about this a little bit, but removing complexity from what
you've written and going back to the basics. Step 11, actually just do it. Don't like pontificate
and talk about doing it. Actually go and do it. Change it. And lastly, just rinse and
repeat. Do the same thing over and over again and you'll be fine. Thanks, everybody.
Appreciate it.
Thank you very much.